Old 12-26-2009, 03:09 PM   #91
nimnull22
Ok, now keep the same firewall rules as in the previous test and do telnet from the computer with 2 NICs:

telnet 192.168.222.22 80
Old 12-26-2009, 03:09 PM   #92
MikeHammer
Original Poster
I guess that Debian Lenny is putting a bug or lock in the low-layer Ethernet or TCP/IP protocols... ?????????????

I remember that this OS is an upgrade from Debian Etch (Debian v. 4.0) to Debian Lenny (v. 5.0).

It was impossible to install Lenny (v. 5.0) on my server in one go, directly from the same CD. It is an old Compaq Proliant 3000.
In the Lenny installer's kernel modules, IDE compatibility was removed, and for that reason the HP SCSI array was not recognized and it was not possible to access and create the RAID 5 (the server has 7 SCSI disks in the array).

So I had to install the older version (Etch 4.0) and, after it was installed, Lenny. For this I performed repeated "aptitude safe-upgrade" and "aptitude dist-upgrade". This upgraded v. 4.0 Etch to the current v. 5.0 Lenny.

I wonder if this form of installation has left a bad patch or an undocumented incompatibility...

Regards
Old 12-26-2009, 03:21 PM   #94
MikeHammer
Original Poster
BINGO!!!!!!!!!!!!!!!!

Old 12-26-2009, 03:25 PM   #95
GrapefruiTgirl
Wow!! I hope that "Bingo" means the issue is solved!?!? Or at least the problem is identified?? I read through this thread earlier and admit I became quite at a loss as to what was going on.

Kudos go to nimnull22 for determinedly persevering despite the very tricky-seeming nature of this problem -- @nimnull22

And congratulations to MikeHammer for sticking with the problem and not giving up! I hope this continues to work out for you.

Sasha
Old 12-26-2009, 03:40 PM   #96
nimnull22
We have solved only half of the problem, because the firewall allows everything.
Now we have to add rule by rule to make it suitable for use.
Please, I want to give some names to your computers:
1. Computer with 3 NICs = "firewall"
2. Computer with web server = "server"
3. Computers in 192.168.111.x = "client"

Please, if you agree with those names, use them and never confuse them.
If you do not like these names, give others.
The firewall rules which you used for the last test = "Rules_new"

So please, load "Rules_new" and do:
lsmod |grep ip
Please post the output.

Thanks

Old 12-26-2009, 05:19 PM   #97
MikeHammer
Original Poster

Quote: Originally Posted by GrapefruiTgirl
Wow!! I hope that "Bingo" means the issue is solved!?!? Or at least the problem is identified?? I read through this thread earlier and admit I became quite at a loss as to what was going on.

Kudos go to nimnull22 for determinedly persevering despite the very tricky-seeming nature of this problem -- @nimnull22

And congratulations to MikeHammer for sticking with the problem and not giving up! I hope this continues to work out for you.

Sasha
Thanks GrapefruiTgirl,
All credit goes to the scholarship and stoic patience of nimnull22 and, after that, to my persistence in the face of adversity...

I'm very happy to be in this very special forum, where attitudes like nimnull22's and yours (which involved a moderator, and that is not common in general...) are not random, because the forum encourages them.
Old 12-26-2009, 05:25 PM   #98
MikeHammer
Original Poster
Quote: Originally Posted by nimnull22
We have solved only half of the problem, because the firewall allows everything.
Now we have to add rule by rule to make it suitable for use.
Please, I want to give some names to your computers:
1. Computer with 2 NICs = "firewall"
2. Computer with web server = "server"
3. Computers in 192.168.111.x = "client"

Please, if you agree with those names, use them and never confuse them.
If you do not like these names, give others.
The firewall rules which you used for the last test = "Rules_new"

So please, load "Rules_new" and do:
lsmod |grep ip
Please post the output.

Thanks
OK, master

I'm sending the file lsmod.txt.
Attached file: lsmod.txt (623 Bytes)
Old 12-26-2009, 05:42 PM   #99
MikeHammer
Original Poster
Now, out of curiosity, the output of "lsmod | grep ip" from the server with the original firewall script (that's the origin of the problem...).
I'm sending the file lsmod_from_orig_firew.txt.

Thanks
Attached file: lsmod_from_orig_firew.txt (624 Bytes)
Old 12-26-2009, 09:23 PM   #100
nimnull22
Please send:
1. iptables-save from the "firewall" computer (3 NICs)
2. iptables-save from the "server" computer

I want to be sure I have the same as you.

Thanks

Old 12-26-2009, 10:47 PM   #101
MikeHammer
Original Poster
I am sending you the iptables-save output you asked for. I warn you that in "firewall", the iptables script doesn't have port 80 open. This is to prevent port scanning from the Kaspersky Forum while we are testing the servers and NIC eth0 is not needed...

Thanks
Attached files: iptables_on_firewall.txt (6.5 KB), iptables_on_server.txt (406 Bytes)
Old 12-27-2009, 04:56 PM   #102
nimnull22
Before we start to do anything, I would like to check something.
1. Are you able to telnet from outside to your "server"?
2. Are you able to telnet from "firewall" to your "server"?
3. Are you able to telnet from any "clients" to your "server"?

telnet 192.168.222.22 80

Thanks
Old 12-27-2009, 08:06 PM   #103
MikeHammer
Original Poster
1. Are you able to telnet from outside to your "server"? --> YES!!!

2. Are you able to telnet from "firewall" to your "server"? --> YES!!!

3. Are you able to telnet from any "clients" to your "server"? --> YEAAAHH!!!

I tested with "rules_new" with FORWARD DROP and FORWARD ACCEPT. Both chains work...

Regards
Old 12-27-2009, 08:31 PM   #104
nimnull22
So, if you can use the main features of your network, we can leave everything like this.
It will work.
But there is still a "but"; I want you to understand the situation:
1. The main firewall right now is the "firewall" computer; "server" does not filter anything.
That is not bad; that is how it should be.
2. Your "firewall" does not have any rules to restrict access to "server" from certain IP addresses; anyone who wants to connect to your port 80 will be redirected to "server". If you want to add additional rules, add them to the "firewall" rules script.
3. Your "server" can initiate an outgoing connection and it will go out. So if you want to prevent that, modify the rules on "firewall".

If I find something else I will write.
If you do not see any problems, just leave it like this.
Old 12-27-2009, 09:16 PM   #105
MikeHammer
Original Poster
OK, I'm very grateful to you.

You are a notable support on the forum, but you are also a consistent helper who doesn't talk bullshit and goes to the target with excellent precision. My respects, colleague.

One more thing.
Could I attempt chains DROP, or was this the trouble???

Regards
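An added example (not from the thread or either poster) of the two points nimnull22 raises in #104 and the "chains DROP" question in #105: a "firewall" ruleset with FORWARD policy DROP that still passes port 80 to "server" (192.168.222.22), lets you restrict which outside sources may reach it, and stops "server" from opening new connections outward. Interface names (eth0 = outside, eth1 = DMZ, eth2 = the 192.168.111.0/24 clients) are assumptions; the script only prints an iptables-restore ruleset for review and applies nothing.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the 3-NIC "firewall".
# Assumed (not from the thread): eth0 = outside, eth1 = DMZ holding "server",
# eth2 = LAN with the "client" machines. Review the output before loading it.
OUT_IF=eth0
DMZ_IF=eth1
LAN_IF=eth2
SERVER=192.168.222.22
LAN_NET=192.168.111.0/24

# Usage: gen_rules [allowed_source_cidr]
# Default 0.0.0.0/0 reproduces the thread's current state (anyone reaches port 80).
gen_rules() {
    allowed=${1:-0.0.0.0/0}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port 80 arriving on the outside interface is redirected to "server".
-A PREROUTING -i $OUT_IF -p tcp --dport 80 -j DNAT --to-destination $SERVER:80
# Hide internal addresses behind the outside interface.
-A POSTROUTING -o $OUT_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# FORWARD policy DROP: only the explicit rules below let traffic cross the box.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Point 2 of #104: restrict which outside sources may reach "server" port 80.
-A FORWARD -i $OUT_IF -o $DMZ_IF -s $allowed -d $SERVER -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Clients on the LAN may reach "server" port 80 and anything outside.
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $SERVER -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $OUT_IF -s $LAN_NET -j ACCEPT
# Point 3 of #104: "server" may not start new connections outward. Anything NEW
# from the DMZ is logged and then falls through to the DROP policy.
-A FORWARD -i $DMZ_IF -m conntrack --ctstate NEW -j LOG --log-prefix "DMZ-OUT-BLOCKED: "
COMMIT
EOF
}

# Helper: does the ruleset generated for a given source CIDR contain a line?
has_rule() { gen_rules "$1" | grep -qF -- "$2"; }
```

Load it only after inspection, for example with `gen_rules 203.0.113.0/24 | iptables-restore` on a test box; replies to the DNATed web traffic still pass thanks to the ESTABLISHED,RELATED rule, so the server cannot reach out on its own but can answer.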